Duckdns - not secure

Hi,

I can no longer use the HA companion app because Duckdns/Let’s Encrypt is showing as not secure.
So I’m using
Rpi4
HA version:core-2021.7.1
DuckDNS version: 1.12.5

My duckdns config is as follows:

  accept_terms: true
  lets_encrypt.accept_terms: true
  certfile: /ssl/fullchain.pem
  keyfile: /ssl/privkey.pem
token: #######################################
domains:
  - #######1.duckdns.org
  - #######2.duckdns.org
aliases: []
seconds: 300

I have http set in my config.yaml as:

  ssl_certificate: "/ssl/fullchain.pem"
  ssl_key: "/ssl/privkey.pem"
  ip_ban_enabled: true
  login_attempts_threshold: 5

The cert from my browser looks like this:


but Duckdns addon log shows:

[10:24:14] INFO: Renew certificate for domains: #####.duckdns.org
abbotsleigh4.duckdns.org and aliases: 
# INFO: Using main config file /data/workdir/config
Processing abbotsleigh4.duckdns.org with alternative names: ######.duckdns.org
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Oct  9 09:26:03 2021 GMT Certificate will not expire
(Longer than 30 days). Skipping renew!
[10:29:18] INFO: OK
92.0.16.31
NOCHANGE

Any idea on how I can make it secure and use the HA companion app again?

Today is 07/12/2021. How did you generate a cert with the start date AFTER the expire date?? It is not valid until September 4th but then it is also expired.


Be careful that out of the US, it’s 12/7/2021 and that 9/4 is 9th April :wink:


I looked at that quickly but coffee had not fully kicked in.

OP, would you happen to have a “ssl” directory under “/ssl”?

The addon seems to copy the certificate to /ssl/<certfile>, so, as you specified “/ssl/” on the duckdns configuration (while it was not needed), I suspect your valid certificate / private key are actually in /ssl/ssl.

Try

  ssl_certificate: "/ssl/ssl/fullchain.pem"
  ssl_key: "/ssl/ssl/privkey.pem"
  ip_ban_enabled: true
  login_attempts_threshold: 5

Thanks, if I try that and check conf I get

Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate']. Got '/ssl/ssl/fullchain.pem'
not a file for dictionary value @ data['http']['ssl_key']. Got '/ssl/ssl/privkey.pem'. (See /config/configuration.yaml, line 17).

Can’t you just go and check what is in /ssl?
I don’t have a crystal ball to see what’s happening on your system :wink:

I don’t have shell or smb access :sob:. The samba add on doesn’t seem to work for me. I can see home assistant on my network but it’s not accessible :woozy_face:

Let’s go random, then :wink:

Try

  ssl_certificate: "/ssl/ssl/fullchain.pem"
  ssl_key: "/ssl/privkey.pem"
  ip_ban_enabled: true
  login_attempts_threshold: 5

I just get

Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate']. Got '/ssl/ssl/fullchain.pem'. (See /config/configuration.yaml, line 17).

I have managed to get the SSH addon to work and that shows:

ls
addons backup config media share ssl
cd /ssl
ls
fullchain.pem privkey.pem wireguard

:confused:

Ok. Next, try removing the “/ssl/” from your duckdns config and reverting configuration.yaml to what you had originally.

Well that turned out to be a relatively simple fix! Thanks!
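
A consistency check for the fix the thread arrives at, as an added example that is not part of the original posts or the add-on's own code. It assumes, as stated in the thread, that the add-on writes its files to /ssl/<certfile>, and that the add-on options are nested under `lets_encrypt`; the function name `lint_tls_paths` and the sample dicts are constructed for illustration.

```python
from pathlib import PurePosixPath

# Assumption taken from the thread: the add-on writes its files to /ssl/<certfile>.
SSL_DIR = PurePosixPath("/ssl")


def lint_tls_paths(duckdns, http):
    """Return findings where the add-on's files and HA's http: paths disagree."""
    findings = []
    le = duckdns.get("lets_encrypt", {})
    for addon_key, http_key in (("certfile", "ssl_certificate"), ("keyfile", "ssl_key")):
        value = le.get(addon_key)
        if not value:
            findings.append(f"duckdns {addon_key} is not set")
            continue
        name = PurePosixPath(value).name
        # The add-on option is a file name inside /ssl, not a path.
        if name != value:
            findings.append(f"duckdns {addon_key}={value!r} carries a directory; use {name!r}")
        expected = SSL_DIR / name
        served = http.get(http_key)
        # Home Assistant must load exactly the file the add-on renews.
        if served is None or PurePosixPath(served) != expected:
            findings.append(f"http {http_key}={served!r} should be {str(expected)!r}")
    return findings


# Constructed sample input modelled on the configs posted in the thread.
DUCKDNS_AS_POSTED = {"lets_encrypt": {"accept_terms": True,
                                      "certfile": "/ssl/fullchain.pem",
                                      "keyfile": "/ssl/privkey.pem"}}
DUCKDNS_FIXED = {"lets_encrypt": {"accept_terms": True,
                                  "certfile": "fullchain.pem",
                                  "keyfile": "privkey.pem"}}
HTTP_ORIGINAL = {"ssl_certificate": "/ssl/fullchain.pem", "ssl_key": "/ssl/privkey.pem"}

if __name__ == "__main__":
    for label, cfg in (("as posted", DUCKDNS_AS_POSTED), ("fixed", DUCKDNS_FIXED)):
        print(label, lint_tls_paths(cfg, HTTP_ORIGINAL) or "consistent")
```

A mismatch reported here means Home Assistant can keep serving a stale certificate while the add-on log reports a valid one.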